API: Auth

Filename:
authPerms_{userType}.cnfg

Released With:
5.0.0

Current Version:
2.0.0

Status: Active

Min Lasso Tested: 8.1.0

Max Lasso Tested: 8.5.3

Related:

fwp_user

Module Title

authPerms_{userType} (Config)

Description

The fwp_user custom type uses a matrix of data set names and permissions per data set to define the privileges of a logged in user. The matrix is defined in a configuration file which specifies the names used to refer to them in source code as well as the labels displayed in the HTML table created for the user administration pages.

The name of the file must begin with authPerms_, but then has a unique name associated with a specific instance of fwp_user. The pageblocks framework is written to support multiple user definitions, though a single user object is sufficient for the vast majority of sites. In the example below, the config file is being used to define the permissions of the default site user object, so the file could be named authPerms_default.cnfg. The file extension must match the one set in $fw_kCnfgExt.

The config file begins with a group of permissions common to all data sets. Each permission is a pair in the format of codeName=displayName. The code name is used to build variable names. The display name is used to build a user interface for editing the permissions. After the common permissions, each data set is defined, and with each data set any permissions unique to only that data set are specified. The {} braces are used to group data sets together. This format helps make the parsing simpler with regular expressions. Blank lines and lines beginning with # or // are ignored as comments.

When the user type fwp_user->authorize member tag is used, the user's permissions matrix is loaded from the database and a series of object instance variables in the format of 'mod_perm', which are retrieved using the ->getPrivilege member tag. Thus, we might have something like $fw_user->(getPrivilege:'news_add'), $fw_user->(getPrivilege:'news_update'), $fw_user->(getPrivilege:'article_approve') and so on. The value of the privilege is either a Y or an N.

With these privileges loaded into the user object, it is up to the application code to place conditional tests for specific permissions around protected fields or page blocks.

Note: a data set is an arbitrary set of information in which the application needs to provide selective control over viewing or editing access. A data set can be a single field, or an entire pageBlock.

Syntax

[output_none]
# permissions common to all modules
{common:
permission=label
permission=label
permission=label
}
# datasets and dataset-specific permissions
{dataset=label:
permission=label
permission=label
}
# datasets inherit common permissions
# so must defined even if there are no unique permissions
{dataset=label:
}
#
{dataset=label:
}
[/output_none]

Examples

To provide conditional access to a delete record button, the code might look like this:

if: ($fw_user->(getPrivilege:'news_delete')) == 'Y';
     <input type="image" src="/imgs/btnDelete.gif" alt="Delete" name="btnFormDelete" />
/if;

Below is a sample configuration file.

[output_none]
# authPerms_{name}.cnfg
# version:  2.0
# released: 2003-10-18
# fwp_user configuration
#
# permissions common to all modules
#
{common:
View=View
Add=Add
Updt=Update
Del=Delete
Apv=Approve
}
#
# datasets and dataset-specific permissions
#
{usrs=Users:
Reset=Reset
Exec=Executive
}
#
{refc=API Refc:
}
#
{page=Pages:
}
#
[/output_none]